<%@ page import="java.sql.*" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@include file="db.jsp"%>

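<%
    // Login handler: looks the submitted credentials up in t_user and, on a match,
    // stores the user's display name in the session and redirects to index.jsp.
    // On no match (or missing input) it forwards back to login.jsp with "msg" set.
    // Relies on `connection` opened by the included db.jsp; it is closed here.
    String username = request.getParameter("username");
    String password = request.getParameter("password");

    PreparedStatement pstmt = null;
    ResultSet rs = null;
    try {
        // A null/empty bind value can never match a row, so skip the database
        // round trip and show the same message the failed-login path shows.
        if (username == null || password == null || username.isEmpty() || password.isEmpty()) {
            request.setAttribute("msg", "用户名密码错误");
            request.getRequestDispatcher("login.jsp").forward(request, response);
            return; // finally still closes the connection
        }

        // Bound parameters: user input never becomes part of the SQL text,
        // so this lookup is not open to SQL injection.
        // NOTE(review): t.password is compared directly in the WHERE clause, which
        // implies the table stores the password as typed. The fix is to store a
        // salted hash (bcrypt/scrypt/argon2) and verify it here after fetching the
        // row; that needs a schema change, so it is flagged rather than made.
        pstmt = connection.prepareStatement(
            "SELECT * from t_user t WHERE (t.username=? or t.phone=? or t.sno=?) AND t.`password`=?");
        pstmt.setString(1, username); // the same value may be a username, phone or sno
        pstmt.setString(2, username);
        pstmt.setString(3, username);
        pstmt.setString(4, password);

        rs = pstmt.executeQuery();
        if (rs.next()) {
            // Discard the pre-login session id so a session id planted before
            // authentication does not become an authenticated one (session fixation).
            session.invalidate();
            session = request.getSession(true);
            session.setAttribute("name", rs.getString("name"));
            response.sendRedirect("index.jsp");
        } else {
            request.setAttribute("msg", "用户名密码错误");
            request.getRequestDispatcher("login.jsp").forward(request, response);
        }
    } catch (Exception e) {
        // Previously swallowed: a database or dispatch failure rendered a blank page.
        // Log server-side with the cause and show the user a generic message only
        // (no exception text reaches the client).
        application.log("login.jsp: login attempt failed", e);
        if (!response.isCommitted()) {
            request.setAttribute("msg", "登录失败，请稍后重试");
            request.getRequestDispatcher("login.jsp").forward(request, response);
        }
    } finally {
        // Release JDBC resources in reverse order of acquisition; each close is
        // best-effort because the connection is closed right after regardless.
        if (rs != null) {
            try { rs.close(); } catch (SQLException ignored) { /* connection closes below */ }
        }
        if (pstmt != null) {
            try { pstmt.close(); } catch (SQLException ignored) { /* connection closes below */ }
        }
        connection.close();
    }
%>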
